Microsoft discovers undisclosed bug in SolarWinds server

New Delhi, Jan 22 (IANS): While monitoring threats related to a Java logging system called 'Apache log4j2', Microsoft researchers have discovered a previously undisclosed bug in the SolarWinds software that was compromised last year.

During the sustained monitoring of threats taking advantage of the 'Log4j2' vulnerabilities, the Microsoft Threat Intelligence Centre (MSTIC) team observed activity related to attacks being propagated via a previously undisclosed vulnerability in the SolarWinds 'Serv-U' software.

"We discovered that the vulnerability is an input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation," Microsoft said in its security update.

SolarWinds said the Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitised.

"SolarWinds has updated the input mechanism to perform additional validation and sanitisation. No downstream affect has been detected as the LDAP servers ignored improper characters," the company said, adding that it affects 15.2.5 and previous versions.

Microsoft reported the discovery to SolarWinds and they immediately patched the vulnerability.

"SolarWinds has updated the input mechanism to perform additional validation and sanitisation. To ensure proper input validation is completed in all environments, SolarWinds recommends scheduling an update to the latest version of Serv-U," said the company.

Microsoft warned that the Russia-based cyber criminals, behind the massive SolarWinds software attack last year, are on the prowl again, this time targeting organisations integral to the global IT supply chain.

The Russian nation-state actor 'Nobelium' has targeted at least 140 resellers and technology service providers in global IT supply chains, it said.



Top Stories

Leave a Comment

Title: Microsoft discovers undisclosed bug in SolarWinds server

You have 2000 characters left.


Please write your correct name and email address. Kindly do not post any personal, abusive, defamatory, infringing, obscene, indecent, discriminatory or unlawful or similar comments. will not be responsible for any defamatory message posted under this article.

Please note that sending false messages to insult, defame, intimidate, mislead or deceive people or to intentionally cause public disorder is punishable under law. It is obligatory on Daijiworld to provide the IP address and other details of senders of such comments, to the authority concerned upon request.

Hence, sending offensive comments using daijiworld will be purely at your own risk, and in no way will be held responsible.